IPFW eXtended tables [Was: Re: IPFW tables, dummynet and IPv6]
Hello everyone. Final patch version now uses single IP_FW3 socket option. Together with other changes this makes me think such changes should be reviewed by a wider number of people. If there are no objections/comments I plan to commit this on tuesday. Changes: * Tables (actually, radix trees) are now created/freed on demand. * Tables can be of different types (CIDR and interfaces are supported at the moment) * Each tables has 2 pointers (basic and eXtended tree) which are initialized independently permitting both IPv4/IPv6 address to be specified in the same table without performance loss * Every new opcode uses IP_FW3 socket option This change does not break ABI, old ipfw(8) binary can configure IPv4 addresses on CIDR-type tables and flush every table. Index: sbin/ipfw/ipfw2.c === --- sbin/ipfw/ipfw2.c (revision 228874) +++ sbin/ipfw/ipfw2.c (working copy) @@ -42,6 +42,8 @@ #include timeconv.h /* _long_to_time */ #include unistd.h #include fcntl.h +#include sys/param.h /* MIN */ +#include stddef.h/* offsetof */ #include net/ethernet.h #include net/if.h/* only IFNAMSIZ */ @@ -57,6 +59,12 @@ struct cmdline_opts co; /* global options */ int resvd_set_number = RESVD_SET; +int ipfw_socket = -1; + +#ifndef s6_addr32 +#define s6_addr32 __u6_addr.__u6_addr32 +#endif + #define GET_UINT_ARG(arg, min, max, tok, s_x) do { \ if (!av[0]) \ errx(EX_USAGE, %s: missing argument, match_value(s_x, tok)); \ 
@@ -370,33 +378,65 @@ safe_realloc(void *ptr, size_t size) int do_cmd(int optname, void *optval, uintptr_t optlen) { - static int s = -1; /* the socket */ int i; if (co.test_only) return 0; - if (s == -1) - s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); - if (s 0) + if (ipfw_socket == -1) + ipfw_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); + if (ipfw_socket 0) err(EX_UNAVAILABLE, socket); if (optname == IP_FW_GET || optname == IP_DUMMYNET_GET || - optname == IP_FW_ADD || optname == IP_FW_TABLE_LIST || - optname == IP_FW_TABLE_GETSIZE || + optname == IP_FW_ADD || optname == IP_FW3 || optname == IP_FW_NAT_GET_CONFIG || optname 0 || optname == IP_FW_NAT_GET_LOG) { if (optname 0) optname = -optname; - i = getsockopt(s, IPPROTO_IP, optname, optval, + i = getsockopt(ipfw_socket, IPPROTO_IP, optname, optval, (socklen_t *)optlen); } else { - i = setsockopt(s, IPPROTO_IP, optname, optval, optlen); + i = setsockopt(ipfw_socket, IPPROTO_IP, optname, optval, optlen); } return i; } +/* + * do_setcmd3 - pass ipfw control cmd to kernel + * @optname: option name + * @optval: pointer to option data + * @optlen: option length + * + * Function encapsulates option value in IP_FW3 socket option + * and calls setsockopt(). + * Function returns 0 on success or -1 overwise. + */ +int +do_setcmd3(int optname, void *optval, socklen_t optlen) +{ + socklen_t len; + ip_fw3_opheader *op3; + + if (co.test_only) + return (0); + + if (ipfw_socket == -1) + ipfw_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); + if (ipfw_socket 0) + err(EX_UNAVAILABLE, socket); + + len = sizeof(ip_fw3_opheader) + optlen; + op3 = alloca(len); + /* Zero reserved fields */ + memset(op3, 0, sizeof(ip_fw3_opheader)); + memcpy(op3 + 1, optval, optlen); + op3-opcode = optname; + + return setsockopt(ipfw_socket, IPPROTO_IP, IP_FW3, op3, len); +} + /** * match_token takes a table and a string, returns the value associated * with the string (-1 in case of failure). 
@@ -3854,7 +3894,7 @@ ipfw_flush(int force) } -static void table_list(ipfw_table_entry ent, int need_header); +static void table_list(uint16_t num, int need_header); /* * This one handles all table-related commands @@ -3866,12 +3906,12 @@ ipfw_flush(int force) void ipfw_table_handler(int ac, char *av[]) { - ipfw_table_entry ent; + ipfw_table_xentry xent; int do_add; int is_all; size_t len; char *p; - uint32_t a; + uint32_t a, type, mask, addrlen; uint32_t tables_max; len = sizeof(tables_max); @@ -3886,18 +3926,20 @@ ipfw_table_handler(int ac, char *av[]) #endif } + memset(xent, 0, sizeof(xent)); + ac--; av++; if (ac isdigit(**av)) { - ent.tbl = atoi(*av); + xent.tbl = atoi(*av); is_all = 0; ac--; av++; } else if (ac _substrcmp(*av, all) == 0) { - ent.tbl = 0; +
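Review bot: `+int ipfw_socket = -1;` in the `@@ -57,6 +59,12 @@` hunk gives the control socket external linkage, replacing the function-local `static int s = -1;` that the do_cmd() hunk removes; unless another compilation unit needs the descriptor, declare it `static int ipfw_socket = -1;` so it stays private to ipfw2.c. The `#ifndef s6_addr32` fallback spells out FreeBSD's in6_addr member names, so a one-line comment saying which header is expected to define it, and why the fallback is needed, would help the next reader.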
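Review bot: in do_setcmd3() (hunk `@@ -370,33 +378,65 @@`) the header-plus-payload buffer is built with `op3 = alloca(len);` where `len = sizeof(ip_fw3_opheader) + optlen` and optlen is whatever the caller passes; alloca() cannot report failure and a large payload (a bulk table load, say) lands straight on the stack, so allocate it with safe_calloc()/malloc() and free it after setsockopt(), or at least bound optlen before the call. Two smaller points: the open-socket sequence (`socket(AF_INET, SOCK_RAW, IPPROTO_RAW)` followed by `err(EX_UNAVAILABLE, ...)`) is now duplicated in do_cmd() and do_setcmd3() and belongs in one helper, and the comment's "overwise" should read "otherwise".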
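Review bot: the new locals in `+ uint32_t a, type, mask, addrlen;` (hunk `@@ -3866,12 +3906,12 @@`) are declared but not assigned anywhere in the part of the patch shown; make sure each of type, mask and addrlen has a value on every path before it is read, or initialise them at the declaration so a missed branch cannot turn into an uninitialised read.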
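Review bot: `+ memset(xent, 0, sizeof(xent));` in the last hunk (`@@ -3886,18 +3926,20 @@`) passes the ipfw_table_xentry structure itself where memset() expects a pointer; it has to be `memset(&xent, 0, sizeof(xent));`. If the `&` was eaten by the mail archive (this copy also lacks the `<`, `>` and `&&` in `if (ipfw_socket 0)` and `if (ac isdigit(**av))`), the line is fine as committed, but please verify. Zeroing xent before parsing is the right move, since any field the parser leaves untouched would otherwise reach the kernel as stack garbage.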
Re: IPFW eXtended tables [Was: Re: IPFW tables, dummynet and IPv6]
On 25. Dec 2011, at 14:59 , Alexander V. Chernikov wrote:

> Hello everyone.
> Final patch version now uses single IP_FW3 socket option.
> Together with other changes this makes me think such changes should be reviewed by a wider number of people.
> If there are no objections/comments I plan to commit this on tuesday.

Aehm, if you want review by a larger number of people and maybe some testing, 2 days, especially over the holiday season, is far from reasonable.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.

___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org
Re: IPFW eXtended tables [Was: Re: IPFW tables, dummynet and IPv6]
At the moment the maximum number of tables remains the same; however, it is now possible to define IPFW_TABLES_MAX to 65k without much (memory) overhead. Since pointers to tables are stored in an array, defining 2^32 tables requires 4G * (8+8+1) memory for pointers only.

65k is also a good amount. Gives me 10 tables per vlan. :)

By the way, I see two possible syntax changes for interface tables:

ipfw add .. skipto tablearg ip from any to any lookup src-iface|dst-iface|iface

or

ipfw add .. skipto tablearg ip from any to any recv|xmit|via table(X)

Personally I like the 'lookup' variant.

recv|xmit|via is in the ipfw spirit, so while personal tastes are always important, I would personally keep it consistent.
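The table design described in the patch announcement above (tables created and freed on demand, two independently initialised trees per table so IPv4 and IPv6 prefixes can share one table without a lookup penalty) and the point raised in this message (table pointers kept in an array bounded by IPFW_TABLES_MAX) can be modelled compactly in user space. The block below is an added example written for this page; it is not code from the ipfw patch or from FreeBSD. It substitutes a plain binary prefix-trie for the kernel's radix tree, and the names xtable, xt_add, xt_lookup, xt_value_or, xt_exists, xt_destroy and the toy constant TABLES_MAX are this example's own.

```c
/* Added example, not code from the ipfw patch: a toy model of one ipfw "extended"
 * table keeping IPv4 and IPv6 prefixes in two independent trees. A plain bit-trie
 * stands in for the kernel's radix tree; every name here is this example's own. */
#include <arpa/inet.h>   /* inet_pton */
#include <stdint.h>
#include <stdlib.h>
#include <sys/socket.h>  /* AF_INET, AF_INET6 */

#define TABLES_MAX 128   /* toy limit; the real IPFW_TABLES_MAX is a kernel option */

/* Binary prefix-trie node; has_value marks the end of a stored prefix. */
struct node { struct node *child[2]; int has_value; uint32_t value; };

/* One table: the "basic" (IPv4) and "extended" (IPv6) trees, each NULL until the
 * first entry of its family arrives, so a table may hold either family or both. */
struct xtable { struct node *tree4; struct node *tree6; };

static struct xtable *tables[TABLES_MAX];   /* pointer array; NULL = not created */

static int bit_at(const uint8_t *key, int i) { return (key[i / 8] >> (7 - i % 8)) & 1; }

/* Store value for the first plen bits of key, allocating nodes on the way down. */
static int trie_insert(struct node **p, const uint8_t *key, int plen, uint32_t value)
{
    for (int i = 0; ; i++) {
        if (*p == NULL && (*p = calloc(1, sizeof(**p))) == NULL)
            return -1;
        if (i == plen) { (*p)->has_value = 1; (*p)->value = value; return 0; }
        p = &(*p)->child[bit_at(key, i)];
    }
}

/* Longest-prefix match of a keybits-long host key: the deepest stored prefix wins. */
static int trie_lookup(const struct node *n, const uint8_t *key, int keybits, uint32_t *value)
{
    int found = 0;
    for (int i = 0; n != NULL; i++) {
        if (n->has_value) { found = 1; *value = n->value; }
        if (i == keybits)
            break;
        n = n->child[bit_at(key, i)];
    }
    return found;
}

static void trie_free(struct node *n)
{
    if (n == NULL) return;
    trie_free(n->child[0]);
    trie_free(n->child[1]);
    free(n);
}

/* Fetch a table slot, creating the table on first use when create is set. */
static struct xtable *table_get(unsigned num, int create)
{
    if (num >= TABLES_MAX) return NULL;
    if (tables[num] == NULL && create)
        tables[num] = calloc(1, sizeof(struct xtable));
    return tables[num];
}

/* Add addr/plen (af = AF_INET or AF_INET6) with value to table num; 0 on success. */
int xt_add(unsigned num, int af, const char *addr, int plen, uint32_t value)
{
    uint8_t key[16] = {0};
    struct xtable *t = table_get(num, 1);
    if (t == NULL || plen < 0 || inet_pton(af, addr, key) != 1)
        return -1;
    if (af == AF_INET && plen <= 32) return trie_insert(&t->tree4, key, plen, value);
    if (af == AF_INET6 && plen <= 128) return trie_insert(&t->tree6, key, plen, value);
    return -1;
}

/* Look up a host address: 1 with *value set if an entry covers it, else 0. Only the
 * tree of that address family is walked, so mixing families in a table costs nothing. */
int xt_lookup(unsigned num, int af, const char *addr, uint32_t *value)
{
    uint8_t key[16] = {0};
    struct xtable *t = table_get(num, 0);
    if (t == NULL || inet_pton(af, addr, key) != 1)
        return 0;
    if (af == AF_INET) return trie_lookup(t->tree4, key, 32, value);
    if (af == AF_INET6) return trie_lookup(t->tree6, key, 128, value);
    return 0;
}

/* The matched value, or dflt when nothing in the table covers addr. */
uint32_t xt_value_or(unsigned num, int af, const char *addr, uint32_t dflt)
{
    uint32_t v;
    return xt_lookup(num, af, addr, &v) ? v : dflt;
}

int xt_exists(unsigned num) { return num < TABLES_MAX && tables[num] != NULL; }

/* Free both trees and the slot: the table is gone until something adds to it again. */
void xt_destroy(unsigned num)
{
    struct xtable *t = table_get(num, 0);
    if (t == NULL) return;
    trie_free(t->tree4);
    trie_free(t->tree6);
    free(t);
    tables[num] = NULL;
}
```

Loading the two entries shown in the thread's `ipfw table 2 list` output (`1.2.3.4/30 0` and `2a02:978::/64 0`) with xt_add() touches only the tree of each family, and a lookup of `1.2.3.5` walks the IPv4 tree alone while `2a02:978::1` walks the IPv6 tree alone. The slot in `tables[]` is allocated by the first xt_add() and released by xt_destroy(), which is the on-demand behaviour the patch announcement describes; the memory cost of raising TABLES_MAX is therefore the pointer array only, which is the 4G * (8+8+1) arithmetic above.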
Re: IPFW tables, dummynet and IPv6
On Sun, Dec 18, 2011 at 03:58:30PM +0400, Alexander V. Chernikov wrote:
> Pawel Tyll wrote:
> > Hi lists,
> > Are there any plans to implement IPv6 tables in ipfw? It would seem that our gov. may want to force us into IPv6 in 6 months ;)
> I've got working implementation for IPv4+IPv6 and interface tables:
>
> 15:56 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 2 list
> 1.2.3.4/30 0
> 2a02:978::/64 0
> 15:16 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 4 list
> em4/em4 2
> vlan144/vlan144 1
> vlan145/vlan145 11000
> vlan146/vlan146 12000
>
> I plan to commit it today/tomorrow. 8.2-S diff will be available, too
Re: IPFW tables, dummynet and IPv6
Pawel Tyll wrote:
> Hi lists,
> Are there any plans to implement IPv6 tables in ipfw? It would seem that our gov. may want to force us into IPv6 in 6 months ;)
I've got working implementation for IPv4+IPv6 and interface tables:

15:56 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 2 list
1.2.3.4/30 0
2a02:978::/64 0
15:16 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 4 list
em4/em4 2
vlan144/vlan144 1
vlan145/vlan145 11000
vlan146/vlan146 12000

I plan to commit it today/tomorrow. 8.2-S diff will be available, too
> Cheers.

___
freebsd-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
Re: IPFW tables, dummynet and IPv6
Hi Alexander,

> I've got working implementation for IPv4+IPv6 and interface tables:

Lately every time I have some kind of problem, you come with a solution ready :

Thanks for the heads-up!
IPFW tables, dummynet and IPv6
Hi lists,

Are there any plans to implement IPv6 tables in ipfw? It would seem that our gov. may want to force us into IPv6 in 6 months ;)

Cheers.
Re: IPFW tables, dummynet and IPv6
On Sun, Dec 18, 2011 at 3:58 AM, Alexander V. Chernikov melif...@freebsd.org wrote:
> Pawel Tyll wrote:
> > Hi lists,
> > Are there any plans to implement IPv6 tables in ipfw? It would seem that our gov. may want to force us into IPv6 in 6 months ;)
> I've got working implementation for IPv4+IPv6 and interface tables:
>
> 15:56 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 2 list
> 1.2.3.4/30 0
> 2a02:978::/64 0
> 15:16 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 4 list
> em4/em4 2
> vlan144/vlan144 1
> vlan145/vlan145 11000
> vlan146/vlan146 12000
>
> I plan to commit it today/tomorrow. 8.2-S diff will be available, too

Thanks! I've been wanting this for a long time, as working around it involved some really, really ugly hacks if you must support IPv6 (which we do).

-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com